Uploaded image for project: 'Infrastructure'
  1. Infrastructure
  2. INFRA-646

SLAPD consuming loads of CPU

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Minor
    • Resolution: Won't Fix
    • Component/s: ldap
    • Labels:
      None
    • Similar Issues:

      Description

      Same issue as INFRA-316:

      I was copying from another system that "just worked" for similar kinds of workloads. So you might be able to pare these indexes back a bit. But LDAP is a read heavy workload - so apart from initial setup costs, over-indexing is not a huge deal.

      (ldapmodify is supposed to be used - but I didn't)

      /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
      olcDbIndex: ou,cn,mail,surname,givenname      eq,pres,sub
      olcDbIndex: uniqueMember                      eq
      
      reindexing
      /etc/init.d/slapd stop
      slapindex
      chown -R openldap:openldap /var/lib/ldap
      /etc/init.d/slapd start
      

        Attachments

          Activity

          Hide
          rtyler R. Tyler Croy added a comment -

          Before I square this away, I'll need to fix the Puppet errors from t he ldap host:

          Error: /Stage[main]/Profile::Ldap/Openldap::Server::Database[dc=jenkins-ci,dc=org]/Openldap_database[dc=jenkins-ci,dc=org]: Could not evaluate: LDIF content:
          dn: olcDatabase={1}hdb,cn=config
          changetype: modify
          replace: olcRootPW
          olcRootPW: {SSHA}REDACTED
          -
          
          Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_database20160422-14835-utsm58' returned 80: SASL/EXTERNAL authentication started
          SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
          SASL SSF: 0
          ldap_modify: Other (e.g., implementation specific) error (80)
          modifying entry "olcDatabase={1}hdb,cn=config"
          
          Show
          rtyler R. Tyler Croy added a comment - Before I square this away, I'll need to fix the Puppet errors from t he ldap host: Error: /Stage[main]/Profile::Ldap/Openldap::Server::Database[dc=jenkins-ci,dc=org]/Openldap_database[dc=jenkins-ci,dc=org]: Could not evaluate: LDIF content: dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcRootPW olcRootPW: {SSHA}REDACTED - Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi: /// -f /tmp/openldap_database20160422-14835-utsm58' returned 80: SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 ldap_modify: Other (e.g., implementation specific) error (80) modifying entry "olcDatabase={1}hdb,cn=config"
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: R. Tyler Croy
          Path:
          dist/profile/manifests/ldap.pp
          spec/classes/profile/ldap_spec.rb
          http://jenkins-ci.org/commit/jenkins-infra/58fb49678325c13609cf04eac04e2fc4cbec7e0b
          Log:
          Incorporate the DB indices that were manually added a while back to ldap

          These were added by @benwalding after we migrated ldap. It turns out that we had
          enough hardware "before" that we never really needed to care about indices. We
          do now though!

          References INFRA-646

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: R. Tyler Croy Path: dist/profile/manifests/ldap.pp spec/classes/profile/ldap_spec.rb http://jenkins-ci.org/commit/jenkins-infra/58fb49678325c13609cf04eac04e2fc4cbec7e0b Log: Incorporate the DB indices that were manually added a while back to ldap These were added by @benwalding after we migrated ldap. It turns out that we had enough hardware "before" that we never really needed to care about indices. We do now though! References INFRA-646
          Hide
          rtyler R. Tyler Croy added a comment -

          I have addressed the indices in this pull request but the issue with applying Puppet manifests on the ldapserver seems to stem from a potential rootpw mismatch between what the hsot has and what is in hiera.

          I've pinged Kohsuke Kawaguchi out-of-band to help verify t hat this machine was setup with the right rootpw for LDAP when he did the migration.

          Show
          rtyler R. Tyler Croy added a comment - I have addressed the indices in this pull request but the issue with applying Puppet manifests on the ldapserver seems to stem from a potential rootpw mismatch between what the hsot has and what is in hiera. I've pinged Kohsuke Kawaguchi out-of-band to help verify t hat this machine was setup with the right rootpw for LDAP when he did the migration.

            People

            Assignee:
            rtyler R. Tyler Croy
            Reporter:
            bwalding Ben Walding
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: